Grafana 8 before version 8.3.1 is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is <grafana_host_url>/public/plugins/<"plugin-id">, where <"plugin-id"> is the plugin ID for any installed plugin.
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
https://github.com/grafana/grafana/commit/00e38ba555cfb120361c9623de3285d70c60172f
Workaround
==========
The issue can be mitigated by running a reverse proxy in front of Grafana that normalizes the PATH of the request before forwarding it, so that dot segments are resolved and never reach Grafana's file lookup. For example, the normalize_path setting in Envoy.
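The following is an added example written for this page, not code from Grafana or Envoy. It performs the kind of PATH normalization the workaround relies on (resolving "." and ".." segments as RFC 3986 section 5.2.4 describes, after percent-decoding, which is this example's own choice) and then checks whether the normalized path still resolves to an asset under /public/plugins/<plugin-id>/. The plugin id, file names and request paths are constructed samples; the function names are this example's own.

```python
"""Path normalization as a reverse proxy would apply it in front of Grafana,
plus a check that the normalized path still targets a plugin asset.
Added example for the advisory text above; not Grafana's or Envoy's code."""
from urllib.parse import unquote

# Prefix named in the advisory; the plugin id that follows it is constructed.
PLUGIN_ROOT = "/public/plugins/"

# Constructed request paths, not real traffic: two legitimate asset requests,
# then two that use dot segments (plain and percent-encoded) to leave the tree.
SAMPLE_REQUESTS = [
    "/public/plugins/example-plugin/img/logo.svg",
    "/public/plugins/example-plugin/./js//module.js",
    "/public/plugins/example-plugin/../../../outside.txt",
    "/public/plugins/example-plugin/%2e%2e/%2e%2e/%2e%2e/outside.txt",
]


def normalize_path(raw_path: str) -> str:
    """Resolve '.' and '..' segments (RFC 3986 remove_dot_segments).

    The whole path is percent-decoded first, so '%2e%2e' is treated like '..'
    and an encoded '%2F' is treated as a separator (conservative choice for a
    proxy). Empty segments from '//' are dropped, which merges slashes.
    """
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()      # step up one level, never above root
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def plugin_asset_target(raw_path: str):
    """Return (plugin_id, asset_path) if the normalized path still points at a
    file inside some plugin's directory, otherwise None."""
    normalized = normalize_path(raw_path)
    if not normalized.startswith(PLUGIN_ROOT):
        return None
    rest = normalized[len(PLUGIN_ROOT):]
    plugin_id, sep, asset = rest.partition("/")
    if not sep or not asset:
        return None                 # no asset component after the plugin id
    return plugin_id, asset


def flag_traversal_attempts(paths):
    """Return raw request paths that claim to be plugin asset requests but no
    longer resolve to one after normalization; useful for alerting from proxy
    or access logs while the upgrade is rolled out."""
    return [p for p in paths
            if p.startswith(PLUGIN_ROOT) and plugin_asset_target(p) is None]


if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path!r:70} -> {normalize_path(path)!r}")
    print("flagged:", flag_traversal_attempts(SAMPLE_REQUESTS))
```

A proxy applying this normalization would forward "/outside.txt" rather than the raw dot-segment path, so the request never reaches Grafana's plugin file lookup with ".." in it; the same normalized form is what a detection rule should match on, since raw paths vary in encoding.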